PCI Compliance For Point of Sale Systems

In point of sale systems, merchants and restaurateurs must comply with the set of standards defined by the PCI DSS. This protects credit card holders as well as the business owner's establishment.
 
Sept. 8, 2009 - PRLog -- Make Sure You Secure Your Point-Of-Sale Equipment

While credit card commercials show lines of dancing shoppers happily swiping their credit cards and glorify the convenience of a cashless society, they tend to forget to discuss the very real threat of identity theft at the cash register.

Monica Chauhan, director for embedded solutions at Solidcore, a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS systems.

Locking it Down

These POS systems, if not properly locked down, can be vulnerable to attacks. In past decades, these embedded devices consisted of specialized hardware running proprietary software, but in recent times Unified Point of Sale (UPoS) has shifted the retail industry's standards.

“Standardization has enabled devices to become increasingly interconnected and has allowed for the use of off-the-shelf software on commoditized hardware running commercial or open operating systems, such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux,” Chauhan observes.

According to her, the security risks for POS equipment owners stem from the greater system flexibility and quicker development time of this equipment.

There Could Be Vulnerable Systems

Robert J. McCullen, CEO of Trustwave (www.trustwave.com), a security firm focusing on information security and compliance management solutions, agreed with Chauhan that many POS systems are vulnerable to attacks.

According to McCullen, dial-up swipe machines carry a low risk; more vulnerable are devices that are computer-based and/or have Internet access. The risk lies in those two prime factors.

According to McCullen, if a POS system stores credit card track data, exploitation can occur, and swipe terminals can be exploited through tampering.

“Generally, hardware swipe terminals have low exploit risk, rather a higher risk of tampering, and thus the tampering will allow hackers to read the cards, whether through a Bluetooth device used later to get the card data or other efforts to retrieve the information,” McCullen explains.

Chauhan points out other vulnerabilities. She claims that because today’s POS systems are similar to networked PCs, they require constant patching. Chauhan also said that embedded systems have become vulnerable to unauthorized and inappropriate changes as they are handed off to others in the distribution channel. Such changes often result in malfunctions and can cause the equipment to no longer meet PCI DSS (PCI Data Security Standard) requirements.

PCI DSS Challenges

Chauhan and McCullen both agreed that point of sale equipment faces unique challenges in PCI DSS compliance.

“Requirement 5 states that you must use and regularly update antivirus software,” Chauhan says. Antivirus software can be an overhead expense on a low-end POS system, she notes; on the other hand, she adds, change control software can eliminate the need for antivirus software.

As an example, NEC Infrontia installed change control software on its POS offerings, where it prevented unauthorized code from breaking unpatched systems. This allowed NEC Infrontia to remove the antivirus software that was impacting the performance of its devices, according to Chauhan.

Under PCI DSS Requirement 6, developing and maintaining secure systems and applications is a must. It also presents unique challenges, Chauhan notes.

It will be very challenging for POS equipment providers to ensure their systems remain PCI compliant after they are shipped to the dealer network and put into production at the retail location.

According to Chauhan, StoreNext (www.storenext.com), a large supplier of technology and POS systems for independent grocers and small chains, solved PCI DSS Requirement 6 patching challenges by embedding Solidcore change control in its systems.

By simply reducing its patch frequency to quarterly, StoreNext was able to reduce the amount of time it spent on monthly test and patch distribution cycles. The PCI auditing requirement can be met through change control software, Chauhan claimed.

Other thorny areas, as McCullen affirmed, include user-based access controls and data encryption.


The author of this article is the Vice President of Customer Relations at http://www.pos-for-restaurants.com, with over 20 years experience in the restaurant point of sale industry.
